When I started working in IT security many years ago, it was a very different world to what it is today. For example, Identity and Access Management platforms were extremely new. It was back in the days when companies such as Netegrity, Oblix, and Thor were still in their early days. Centralised IAM was still a vision for many organisations. In fact, most average-sized companies hadn’t even realised they needed single sign-on, never mind actually having a plan or project to deliver it. The reality was that each application had its own user store with its own password, and roles and privileges were handled in each application silo. Remember, this was before the days of standards we have come to take for granted, like SAML.
Then we moved to a more platform-based approach, especially around middleware. IAM as a platform started to gain adoption. Companies recognised the importance of centralising IAM, either because of internal transformation programmes, risk, or regulation.
Whilst some organisations never quite reached the nirvana of a fully-integrated IAM platform, completely automating their joiners, movers, and leavers, handling certifications, segregation of duties, etc., many did (and continue to) get value from their IAM platform. I use IAM as the example, but the same shift has happened across many areas of security as companies moved from siloed solutions to enterprise-class solutions.
There are well-recognised benefits to moving away from siloed solutions to more centralised, enterprise-class capabilities across many areas of security. However, it seems that cloud may be in danger of undoing much of that thinking and evolution.
We know that organisations are using an average of six cloud providers to run their workloads (RightScale, State of the Cloud Report, 2016). This fits well with the cloud model of picking the best place to run each workload. However, the challenge is that each of these cloud providers comes with its own set of security controls and capabilities. In many cases, those security tools and capabilities are specific to that cloud provider's services. This isn't a lack of foresight on the cloud provider's part; in most cases it's by design. For example, Amazon provides IAM capabilities for managing users and their access to AWS. That isn't an enterprise IAM capability; it is specific to AWS. As Amazon's website states:
“Use AWS Identity and Access Management (IAM) to control users' access to AWS services. Create and manage users and groups, and grant or deny access.”
There are lots of other examples of this both within Amazon and other cloud providers. Take threat detection as another example, as Amazon states:
“Amazon GuardDuty is a managed threat detection service that provides you with a more accurate and easy way to continuously monitor and protect your AWS accounts and workloads.”
Microsoft takes the same approach for threat detection:
“With Azure Security Center, you get a central view of the security state of all of your Azure resources.”
I understand their rationale for doing this, focusing on delivering capabilities for their own cloud platform, and in some cases, such as IAM, it would be impossible to provide a cloud service without delivering such a capability. However, in today's market, where organisations are taking services from multiple cloud providers, this means that companies are being forced back towards a siloed approach to security, having to configure and manage the same security capabilities separately in each cloud provider's platform.
Security is all about bringing together knowledge to gain greater insight and intelligence into threats, risks, and attacks. It's hard to do that from multiple siloed platforms, each with its own data model, severity scale, and console. That's before we even consider the increased cost and complexity associated with managing multiple siloed solutions.
Therefore, when you are looking at security capabilities from cloud providers, it's important to understand how much coverage they give you across your entire estate: not just for that cloud provider, but across all of your cloud providers. We need to ensure that we don't go back to individual security silos, or we are making it too easy for the bad guys to win.
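To make the silo problem concrete, here is an added example (not code from the original post, Oracle, Amazon, or Microsoft) that does the smallest piece of the "bringing knowledge together" job by hand: it takes a threat finding from an AWS-style silo and an alert from an Azure-style silo, normalises both into one common record, and correlates them on the attacker IP. The two input documents are constructed samples modelled loosely on a GuardDuty finding and a Security Center alert; their field names are assumptions for illustration and are not guaranteed to match either provider's real API. Note how even this toy needs a separate parser and a separate severity mapping per provider, which is exactly the per-silo work the post is warning about.

```python
"""
Added example (not part of the original post): normalise threat findings
from two provider-specific silos into one common record and correlate them.
The two inputs below are CONSTRUCTED samples modelled loosely on an Amazon
GuardDuty finding and an Azure Security Center alert. Field names are
assumptions for illustration, not a guaranteed match to either real API.
"""
from collections import defaultdict

# Azure-style alerts use words for severity; GuardDuty-style findings use
# a number. A common scale is needed before the two can be compared.
SEVERITY_WORDS = {"low": 3.0, "medium": 5.0, "high": 8.0}

# Constructed sample: GuardDuty-style finding (numeric severity, attacker
# IP nested under Service.Action).
GUARDDUTY_SAMPLE = {
    "AccountId": "111122223333",
    "Region": "eu-west-1",
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "Severity": 5.0,
    "Resource": {"ResourceType": "Instance",
                 "InstanceDetails": {"InstanceId": "i-0abc123"}},
    "Service": {"Action": {"NetworkConnectionAction": {
        "RemoteIpDetails": {"IpAddressV4": "203.0.113.45"}}}},
}

# Constructed sample: Security Center-style alert (word severity, attacker
# IP carried in a list of entities).
AZURE_SAMPLE = {
    "properties": {
        "alertDisplayName": "Failed SSH brute force attack",
        "severity": "Medium",
        "compromisedEntity": "vm-web-01",
        "entities": [{"type": "ip", "address": "203.0.113.45"}],
    },
}


def normalise_guardduty(finding):
    """Map a GuardDuty-style finding onto the common record shape."""
    action = finding.get("Service", {}).get("Action", {})
    ip = (action.get("NetworkConnectionAction", {})
                .get("RemoteIpDetails", {})
                .get("IpAddressV4"))
    return {"provider": "aws",
            "severity": float(finding["Severity"]),
            "title": finding["Type"],
            "asset": finding["Resource"]["InstanceDetails"]["InstanceId"],
            "source_ip": ip}


def normalise_azure(alert):
    """Map a Security Center-style alert onto the same common record shape."""
    p = alert["properties"]
    ips = [e["address"] for e in p.get("entities", []) if e.get("type") == "ip"]
    return {"provider": "azure",
            "severity": SEVERITY_WORDS[p["severity"].lower()],
            "title": p["alertDisplayName"],
            "asset": p["compromisedEntity"],
            "source_ip": ips[0] if ips else None}


def correlate(events):
    """Group normalised events by attacker IP and keep only the IPs that
    appear in more than one provider, i.e. the cross-silo hits a single
    provider's console can never show you."""
    by_ip = defaultdict(list)
    for e in events:
        if e["source_ip"]:
            by_ip[e["source_ip"]].append(e)
    return {ip: evs for ip, evs in by_ip.items()
            if len({e["provider"] for e in evs}) > 1}


if __name__ == "__main__":
    events = [normalise_guardduty(GUARDDUTY_SAMPLE), normalise_azure(AZURE_SAMPLE)]
    for ip, evs in correlate(events).items():
        print(f"{ip} seen in {len(evs)} providers: "
              + ", ".join(f"{e['provider']}:{e['asset']}" for e in evs))
```

Every additional provider adds another `normalise_*` function and another severity mapping to maintain, and the correlation key (here an IP) has to be found in a different place in each schema. That per-provider glue is the cost the post is describing; it is also the reason a cross-provider capability is worth asking for before it is built in-house.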
Here at Oracle we are working hard to deliver a cloud security portfolio that is heterogeneous and will support you and your organisation in delivering security solutions which work across your multiple cloud providers, whether SaaS, PaaS, or IaaS, whilst not forgetting about your existing non-cloud estate. Head over to the Oracle Cloud Security website if you want to learn more.